Ghostwriter Is Back, Using a Ukrainian Learning Platform as Bait to Hit Government Targets

Security Affairs, May 23, 2026

Key Takeaways

  • Phishing lures use Prometheus, a legitimate Ukrainian learning platform
  • OYSTERFRESH drops OYSTERBLUES into the Windows Registry
  • Final payload is a Cobalt Strike framework beacon
  • Mitigation: restrict wscript.exe for regular user accounts

Pulse Analysis

The resurgence of Ghostwriter underscores how state‑aligned threat actors adapt classic phishing tactics to local contexts. By leveraging Prometheus, a platform widely adopted by Ukrainian civil servants, the group increases email credibility and bypasses generic security awareness training. This approach mirrors earlier campaigns where familiar services were weaponized, highlighting the importance of contextual threat intelligence that accounts for regional digital ecosystems.

Technical analysis reveals a multi‑stage loader chain: a PDF‑embedded link delivers a ZIP archive, which extracts OYSTERFRESH JavaScript. The script presents a decoy document while silently writing OYSTERBLUES into the registry and fetching OYSTERSHUCK to decode it. Once active, OYSTERBLUES harvests system metadata and communicates with a Cobalt Strike command‑and‑control server, enabling attackers to execute arbitrary code and maintain persistence. The use of Cloudflare‑protected .icu domains further obscures the infrastructure, complicating attribution and takedown efforts.

For defenders, the incident reinforces the need for layered controls beyond user education. Restricting wscript.exe execution for standard accounts eliminates a common JavaScript execution path, dramatically reducing the attack surface. Organizations should also enforce strict attachment scanning, implement sandboxing for PDF content, and monitor for anomalous registry writes linked to known loader signatures. Continuous monitoring of network traffic for outbound HTTP POSTs to suspicious domains can provide early indicators of compromise, allowing rapid response before a full Cobalt Strike foothold is established.
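The monitoring advice above (script-host execution, registry writes, outbound connections to suspicious domains) can be turned into a simple correlation rule. The following is an added example, not code from Security Affairs or from the report it summarizes; the events, paths, SID and host names are constructed in the shape of Sysmon event IDs 1, 13 and 3, and the detection logic is an assumption about what a reasonable first-pass rule looks like, not a published signature.

```python
"""Correlate constructed Sysmon-style events into the wscript -> registry -> C2 chain."""
import re
from collections import defaultdict

USER_WRITABLE = re.compile(r"\\(Temp|Downloads|AppData)\\", re.IGNORECASE)
SCRIPT_HOST = re.compile(r"\\(wscript|cscript)\.exe$", re.IGNORECASE)
SUSPICIOUS_TLD = (".icu",)  # TLD named in the report; extend from your own intel

# Constructed sample events (IDs 1 = process create, 13 = registry value set,
# 3 = network connect). Paths, SID and hosts are invented for this example.
EVENTS = [
    {"id": 1, "pid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\anna\Downloads\Course_Materials\Lecture.js"'},
    {"id": 13, "pid": 4120,
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Example\Blob"},
    {"id": 3, "pid": 4120, "dst_host": "lms-sync.icu", "dst_port": 443},
    {"id": 1, "pid": 5212, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Program Files\Inventory\agent.js"'},
    {"id": 3, "pid": 5212, "dst_host": "inventory.example.com", "dst_port": 443},
]


def correlate(events):
    """Map pid -> set of matched stages, following only script-host processes."""
    stages = defaultdict(set)
    for ev in events:
        pid = ev["pid"]
        if ev["id"] == 1 and SCRIPT_HOST.search(ev["image"]):
            stages[pid].add("script_host")
            cmd = ev["cmdline"].rstrip('"').lower()
            if USER_WRITABLE.search(ev["cmdline"]) and cmd.endswith(".js"):
                stages[pid].add("js_from_user_dir")  # script run from a user-writable path
        elif pid not in stages:
            continue  # ignore processes that did not start as a script host
        elif ev["id"] == 13:
            stages[pid].add("registry_write")  # loader staging a blob in the registry
        elif ev["id"] == 3 and ev["dst_host"].lower().endswith(SUSPICIOUS_TLD):
            stages[pid].add("suspicious_outbound")
    return dict(stages)


def alerts(events, threshold=2):
    """Return pids whose high-signal stages reach the threshold, sorted."""
    high = {"js_from_user_dir", "registry_write", "suspicious_outbound"}
    return sorted(p for p, s in correlate(events).items() if len(s & high) >= threshold)


if __name__ == "__main__":
    for pid in alerts(EVENTS):
        print(f"ALERT pid={pid} stages={sorted(correlate(EVENTS)[pid])}")
```

The legitimate script run from Program Files in the sample is tracked but never alerts, which is the point of requiring two independent stages rather than flagging every wscript.exe launch.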
